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1, INTRODUCTION 

Machine to Machine (M2M) communication, also called Machine Type Communication (MTC), 
standardized by the 3rd Generation Partnership Project (3GPP), is an emerging technology for complete 
mechanical automation and its rapid development will change our life styles vigorously [1]. M2M technology 
is attracting attention in the areas of standardization and industry, to which many forums and standardization 
organizations have actively participated, including the Institute of Electrical and Electronics Engineers 
(IEEE), the European Telecommunications Standards Institute (ETSI), the 3GPP and 3GPP2. Among these, 
3GPP has been considered MTC as the promising solution facilitating M2M communications. With the 
development of M2M technology, mobile network operators and research groups are paying more attention 
to efficiency, reliability and security requirements [2-3]. 

Security is of paramount importance in M2M communications [4], if M2M devices cannot securely 
access networks through efficient authentication, all applications involving M2M cannot be widely accepted. 
However, recent Authentication and Key Agreement (AKA) protocols dedicated to the 3GPP for Long Term 
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Evolution (LTE) or Evolved Packet System (EPS), known as EPS-AKA or for non-3GPP access networks, 
known as Extensible Authentication Protocol (EAP-AKA), cannot provide sufficient security. In addition, 
to support M2M communications, the 3GPP mobile operator must adapt its network to a large number of 
MTC Devices (MTCDs), which can overload its network resources and introduce congestion into the 
network on both data and control plans [5]. In fact, congestion can occur due to simultaneous authentication 
signaling messages from M2M devices [6-7]. If a large number of M2M devices in a group need to access the 
network at the same time, traditional authentication protocols (EPS-AKA or EAP-AKA) will suffer from a 
high signal overhead, leading to signaling, authentication and reduction of Quality of Service (QoS) of the 
network [8]. The reason is that each device must perform a complete AKA authentication procedure with the 
home authentication server, respectively. Given the reliability, these traditional AKA protocols are not 
suitable for large-scale M2M communications [9]. 

The main idea of proposed protocol in this paper is that the first MTC device in a group, which 
wants to access the 3GPP core network, performs a complete AKA authentication procedure. In this process, 
the first MTC device obtains group authentication information and a Group Temporary Key (GTK) on behalf 
of other MTC devices in the same group. Then, the Authentication, Authorization and Accounting (AAA) 
server 1S allowed to perform mutual authentication with the other MTC devices in the group using the 
obtained group authentication information and GTK without interacting with the Home Subscriber Server 
(HSS). The authentication delay can be reduced as a whole and the signaling overhead between the AAA 
server and the HSS is greatly reduced. The proposed AKA protocol for machine type communications 
combining Elliptic Curve based Diffie-Hellman (ECDH) [10] on the EAP protocol. 


2. SYSTEM ARCHITECTURE 

As shown in Figure 1, our considered network architecture is based on the 3GPP standard and can 
be divided into three areas [11-12] : Access networks, including the 3GPP access network, which are 
composed of Evolved NodeBs (eNBs) and non 3GPP access network such as a Wireless Local Area Network 
(WLAN), which consists of wireless Access Points (APs). Evolved Packet Core (EPC), including the Mobile 
Management Entity (MME) or AAA server that performs the access authentication function, the HSS, 
the Gateway Serving (S-GW) and data network Gateway Packet (P-GW). In our considered network 
architecture, the MTC server is located outside the EPC. 
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Figure 1. System architecture 


3. THE PROPOSED GROUP AUTHENTICATION PROTOCOL 

We present our proposed group authentication protocol for MTC [13], which has three phases: 
initialization phase, group authentication and key agreement phase and Group member state. Our scheme can 
facilitate non-3GPP MTC devices to access to 3GPP core network [14]. 


3.1. Group Initialization Phase 

In the group initialization phase, each MTC device has an Identity (ID) such as International Mobile 
Subscriber Identification (IMSI), which is a private identity that identifies MTC device and should be 
installed in the MTC device by the supplier in order to allow the MTC device to register in a 3GPP network. 
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Each MTC device calculates its Temporary ID (TID) furthermore these MTC devices has preshared a secret 
key with HSS and the MTC devices form groups based on certain principles (e.g., belong to the same 
application, within the same region, etc.), then the supplier provides a Group Identity (IDg,) and a Group Key 
(GK1) to each group for authentication. As shown in Table 1, we create an index table to manage information 
of MTC devices and group; the index table contains fields of group identity, MTC device ID for each 
MTC device. 


Table 1. Temporary Index Table of Gl 
Group Group ID MTCD ID 
Gl TIDoi TIDmrcpe1-1 


TIDmrcpc1 -n 


3.2. Group Authentication and Key Agreement Phase 

We assume that a secure communication channel between the AAA server and the HSS has already 
been established and can provide security services to the transmitted data. When non-3GPP MTC devices in 
G1 detect the AP, similarly, a group leader of MTCDs in the group (MTCDy,gaprr) will be selected. 
Authentication and key agreement phase as follows: 
Step 1: EAP request/identity 

MTCDg).; searches for the ID of the intended AP, when it finds the AP, the MTCDg,_; sends start 
message to start the authentication mechanism. 
Step 2: 

The AP requests the MTCDg).; Identity. 
Step 3: 

Upon receiving the EAP Request/Identity message sent by AP, firstly, the MTCDg).; computes 
TIDmtcpci-1 et TIDg1-1 respectively, and then MTCDg.; generates AUTH; as follows: 


TIDmurepai-1 = f'kG1-10Dyrrepei-1) (1) 
TIDg61.1 = f'xoi-1dDai) (2) 
Each MTCD calculates its Message Authentication Codes (MAC) as following: 
MACwrepai-1 = f’K¢1-11Drepa1-1![IDe1) (3) 
And each MTCD sends its MAC to MTCD_gapgr who generates: 
MACg: = MACwrepai-1 D MACwrrepai-2 D MACwrepai-3 SP, see e cece <P) MACwrcpai-n (4) 
AUTH, _ (MACwrtcpc1-1]| ose oe ee IMA Cyrrepet -nlIMACG)) (5) 
Step 4: Group authentication and data request message 
MTCDg,.; sends its parameters to the AAA server through AP, and then the AAA server finds out 
corresponding HSS according IDyss and forwards its parameters and its own IDaaa to the HSS by 
authentication data request message. 
Step 5: Group authentication data response 
When the HSS receives authentication data request message, it verifies the identity of device and the 


received MACwrcpci-1 and MACg;. Then HSS calculates a group temporary key GTKg. 
HSS generates Group Authentication Vector (GAV) and calculate AUTHyss and MACyss: 


GAV = (RANDIIXRESIIGTKIIAUTHHSS) (6) 
GTK = f'x¢(AUTHuss) (7) 
AUTHuss = (Russll[DysslIMACuss) (8) 
MACuss = f Ka (IDyssl[Russ) (9) 
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Step 6: 
The HSS sends [Dap, GAV, Kg; to the AAA server by a pre-establish security channel. 
Step 7: Group authentication request 
The AAA server receives and stores IDap, GAV, and Kg, and calculates MACaaa, and generates 
AUTHaaa. Also AAA generates a random value a and computes aP, and sends AUTHaa, and aP to device: 
AUTHaaa = (UIDaaallRaaalIMACa a alIMACuss) (10) 
MACaaa = f «oi AD aaallRaaallRuss) (11) 


Step 8: Group authentication response 
Firstly, MTCDg).; computes: 


GTK=f'x¢1(RussllIDyss) (12) 
Then MTCDg,.; verifies the received MACyss and MAC aaa: 

MAC’ uss=f Gi IDyssllRuss) (13) 
MAC’ aaa=f xoi(IDaaallRaaallRuss) (14) 


If verification passes the device computes bP by generating a random value b, also computes its own 
Master Session Key (MSK) as EAP-AKA and REScg. 


Kyrcpoii=f ork (abP) (15) 
RESgi= f’krcpae1-1DeillIDwrepe-illRe1) (16) 
And sends its to AAA. 


Step 9: Authentication acknowledge 

When the AAA server receives the group authentication response message, it compares RES, with 
XRESc;. The AAA server sends [Dap and MSK with EAP Success message to the AP. The AP verifies 
whether received [Dap equals its own ID or not. If the result is incorrect, the AP drops the MSK and then 
terminates the execution. Otherwise the AP stores the MSK. Then AP encrypts [Dap using the MSK and 
sends it with EAP Success message to MTCDg.1. 

The full authentication and key agreement procedure for one MTC device is completed. 
The procedure is shown in Figure 2. 


3.3. Group Member Joining/Leaving the Group 

In our scheme, the group key can be used to authenticate HSS and MME. Therefore, when group 
members join or leave the group, the GK need to be updated immediately since it will influence the security 
of the system. Moreover, if the GK is used to encrypt group messages, the group which formed by MTC 
devices requires backward and forward secrecy. Backward secrecy is required that a new MTC device cannot 
get messages exchanged before it joined the group. Forward secrecy is required that a leaving or expelled 
MTC device cannot continue accessing the group’s communication (if it keeps receiving the messages). 
When an MTC device wants to leave the group, the HSS will revoke the binding relationship between the 
MTC device and the group that it belongs to. Thus the MTC device cannot longer communicate with the core 
network as the group member. Moreover, to prevent the old MTC device to decrypt the new packets of the 
group which it was able to sniff, the group key must be updated when the old MTC device leaves the group. 
After the old MTC device leaves the group, all members of the group should share a new group key. 
Similarly, when an MTC device wants to join the group, an access control of the group is necessary for it, 
and it needs to perform a full AKA authentication procedure with the HSS. Meanwhile, the group key must 
be updated when the new MTC device wants to join a group. After the new MTC device joins the group, 
all members of the group should share a new group key. In that case, the new MTC device cannot decrypt the 
old packets of the group before it joins in. 
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Figure 2. Authentication procedure of our proposed 


4. SECURITY ANALYSIS 

We analyze both formal verification implemented by the security protocol verification tool 
AVISPA and security analysis properties of the proposed scheme, to show that the proposed can achieves all 
the security goals [15]. 


4.1. Mutual Authentication and Key Agreement 

Firstly, for the mutual authentication we can verify that the proposed protocol can provide a 
successful mutual authentication between MTC devices and the 3GPP Core Network (CN) by formal 
verification described as follows: all the MTC devices in the G1 first calculate their MACwtcpc1-1 and send 
them to the MTC leader. Then, the MTC leader collects all MAC, MACywrcpci.; and calculates MACg). By 
verifying MACg,, the HSS can identify all MTC devices and the group. Then, the HSS calculates MACysgs, 
generates AUTHyss and XRESg, and generates GAV for all MTC devices in Gl. The HSS sends GAV 
containing AUTHyss and XRESg to the AAA; then, the AAA calculates MACaaa and generates AUTH, aa, 
and sends them to all MTC devices in G1. By verifying AUTHyss/AUTH aaa, all MTC devices can trust the 
HSS and the AAA. Also by verifying RESg;, the AAA can authenticate all MTC devices in G1 [16]. 

For key agreement because all keys used among entities are computed without being transmitted 
over any insecure communication channels, the key agreement procedure is secure whether between the 
MTC device and the AAA server where can achieve through ECDH with symmetric key, and the MTC 
device and the AAA server can share a secret key Kytcpc1-1 or between the MTC device and the AP where is 
the same as EAP-AKA and the MTC device and AP can securely communicate with other by the MSK. 
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4.2. Resistance to Attack 

In this part we discribe various resistance methods to limit attacks in our model. 
4.2.1 Resistance to Replay Attack 

In our protocol, random numbers Ryss generated by the HSS and Raa, generated by the AAA server 
are temporarily used in generating challenge messages toward the opposite side, respectively. Since these 
random numbers used in each authentication procedure are different, even if an attacker acquires a random 
number in an authentication procedure, he still cannot fake challenge messages by reusing the random 
number in a new authentication procedure. 


4.2.2 Resistance to Impersonate Attack 

In our proposed, all the MTC devices of a group share a common GTK, the 3GPP CN can easily 
distinguish one MTC device from another even though all MTC devices use the same GTK, one MTC device 
cannot generate a correct parameters for another device MTC to perform a successful authentication with the 
HSS and cannot decrypt traffic between any other MTC device and the 3GPP CN. 


4.2.3 Resistance to Denial of Service (DoS) attack 

During the authentication for our protocol, a malicious MTC device may launch a DoS attack either 
to the HSS or to the AAA by sending an invalid MAC. However, the HSS can detect the invalid MAC and 
quickly re-authenticate the legitimate MTC devices in the group. 


4.2.4 Resistance to Man-in-the Middle (MITM) Attack 

In our proposed protocol, only the MTC devices and HSS can obtain real ID information of the 
devices and the group from encrypted temporary ID information. An attacker cannot derive and modify this 
information. The AP receives the EAP Success message with [Dap and MSK sent by the AAA server. After 
that, the AP can verify whether its own ID equal to the received ID or not. If not the procedure of 
authentication and key agreement will fail. Our protocol can resist against several types of man-in-the middle 
attack. 


4.3. Security Property 

From our analysis and comparison, we derive the properties of our proposed protocol with others 
AKA protocols AKA protocols: EAP-AKA [17], Mun’s protocol [18], EG-AKA [19] and GLARM-2 [20] 
protocol and show the results in Table 2. The comparison results demonstrate that our protocol can provide 
the most comprehensive security performance compared to the other AKA protocols. Providing group access 
authentication and heterogeneous network access are the two main advantages of our protocol. 
In particularly, our proposed protocol meets the following security properties. 


Table 2. Comparisons of Properties among the Authentication and Key Agreement Protocols 


Vulnerability EAP-AKA Mun’s protocol GLARM-2 EG-AKA Proposed 
Support group authentication No No Yes Yes Yes 
Type of cryptosystem Symmetric Symmetric and Symmetric Symmetric Symmetric 
ECDH and ECDH = and ECDH 
Ensure confidentiality of user identity No Yes Yes Yes Yes 
Resistance against replay attack Yes Yes Yes Yes Yes 
Resistance against the DoS attack No No Yes Yes Yes 
Resistance against the blocking of services Yes Yes Yes Yes Yes 


by an MITM 


4.4. Formal Verification 

This solution was checked by the security protocol verification tool AVISPA which indicated that it 
1s a very secure level. The main advantage of this tool is the ability to use different verification techniques on 
the same protocol specification. The protocol designer interacts with the tool by specifying a security 
problem in the High Level Protocol Specification Language (HLPSL). The HLPSL is an expressive, 
modular, role-based, formal language that is used to specify control-flow patterns, data-structures, alternative 
intruder models and complex security properties, as well as different cryptographic primitives and their 
algebraic properties [21]. 

The primary goal of our proposed protocol is to provide mutual AKA services between the MTC 
devices and AAA. We only need to verify that the proposed protocol can provide a successful mutual 
authentication between the MTC devices and the AAA server. We need to verify that the proposed protocol 
can provide a successful mutual authentication between the MTC devices and the AAA by using back-end 
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servers.In this paper, we only present the authentication analysis of one MTC device, basic roles of the AAA 
and MTC device and the authentication goals are shown in Figures 3, 4 and 5, respectively. 


role mtcd (MTCD, AAA: agent, GK: symmetric key, 
P1,F2,P3,F4 : hash func, 

SND, RCV; channel (dy)) 

played by MTCD 


/\Rmted' := new() 
/\SND (Rmted") 
Z. State = 2 


/\RCV ({F2(Raaa'. Rhss' .Rutod)} ({P3(IDhss'. Rhss')} GR).Raaa'. Rhss') 


/\witness (MTCD, AAA, aaa mtcd, Raaa', Rhss') 


/\ Rma':= (P4(Rey')) ({P3(IDhss'. Rhss')} GR) 
/\ secret (Fma', {AAA, MTCD}) 

3. state = 4 

/\SND ({Pl(Raaa. Key')} Rima) 

/\wrequest (MTCD, AAA, mtcd aaa, Raaa) 


Figure 3. Role of MT'CD 


goal 


role aaa (MTCD, AAA: agent, GX: symmetric key, P1,F2,P3,P4 : hash func, 


\Raaa’ := new () 

\IDhss' := new() 

\Rhss' := new() 

/\SND ({F2(Raaa'. Rhss'. Rated')} ({F3(IDhss'. Rhss')} GR). Raaa'.Rhss') 
‘\wrequest (AAA, TCD, aaa ated, Raa ,khss') 

), State = 3 | 

/\RCV({F1(Raaa. Rey')} Rha’) 

\witness (AAA, MTCD, mted aaa, Raaa) 


iss’ t= new() 
' = new() 
‘= {F4(Rey') } | (F3(IDhss'. Rhss'} } GR) 
secret (Rna', {AAA, MTCD}) 





Figure 4. Role of AAA 


authentication on mtcd aaa 


authentication on aaa_mtcd 


end goal 





Figure 5. Analysis goals of the model. 


We run the Security Protocol Animator (SPAN) for AVISPA in On-the-Fly-Model-Checker 
(OFMC) and SAT-based-Model-Checker (SATMC) modes to validate the above goals. The output of the 
model checking results 1s shown in Figures 6 and 7. According to this Figures, we can conclude that our 
scheme can achieve the security goals and withstand various attacks including MITM attacks, impersonation 
attacks, DoS and replay attacks under the test of AVISPA and SPAN using the OFMC and SATMC back- 
ends with a bounded number of sessions. 
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Figure 6. Results reported by the OFMC back-end Figure 7. Results reported by the SATMC back-end 


5. RESULTS AND DISCUSSION 
In this section, we evaluate the performance of the proposed scheme in terms of signaling overhead, 
bandwidth consumption and transmission cost. 


5.1. Signaling Overhead 

In order to evaluate the signaling overhead, we assume that the number of MTC device is n, 
the number of group is m and the number of (re)authentications 1s x. 

For EAP-AKA, authentication procedures performed by an MTC device require the total number of 
signaling messages, there are 12 signaling messages for one complete authentication procedure. Thus, the 
number of signaling message of a MTC device is 12x and the total number of signal message is 12nx. 

Mun’s protocol is a new authentication and key agreement protocol based on EAP-AKA designed 
for 3G-WLAN interworking. This protocol combines ECDH with symmetric key cryptosystem to overcome 
several vulnerabilities. In addition, their protocol provides Perfect Forward Secrecy (PFS) to guarantee 
stronger security, mutual authentication, and resistance to replay attack. In this protocol, the MTC device 
runs a full authentication using 8 messages at one time, a total of 8x messages is required. Similarly, when n 
MTC devices belonging to m group perform authentication, so a total of Mun’s protocol is 8nx messages. 

Concerning EG-AKA, a group AKA protocol for LTE networks is for 3GPP MTC devices to access 
the core network over non-3GPP air interfaces. Overall delay of the current AKA for a single user takes long 
because of a round-trip delay to the backend of the authentication server in a core network. In order to 
improve this delay, EG-AKA is designed to reduce the number of accessing times to the authentication 
server. The first MTC device initiating authentication in the group complete the whole procedure of 
authentication and the number of signaling message is 8. The rest devices of the group only need 6 signaling 
messages For our proposed protocol, to complete a group authentication procedure the first MTC needs 7 
message of signalization. The rest devices of the group only need 5 signaling messages. In this scenario, the 
number of the rest devices 1s n — m and the total number of signaling message is 7m + 5(n — m). If each 
device executes another x — | re-authentications, then the total number of signaling message is 7m+ 5(n—m) 
+ 5(x- 1). 

Figure 8 illustrates the comparison of the number of signaling messages with the change of the 
number of MTC devices. According to this Figures it can be seen that our proposed protocol is much less 
than that of other existing schemes and outperforms this authentication protocols this is because our protocol 
shifts the impact of the number of MTC devices on network to the impact of that of the number of MTC 
device groups on network. The proposed scheme can largely reduce the authentication signaling overhead 
and relieve the charge of eNBs/APs and the MME/AAA server. Thus, our scheme can ensure QoS for MTC 
devices without restriction on the access requests. 
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Figure 8. Comparison of signaling overhead 


5.2. Bandwidth Consumption 

In order to analyze the bandwidth consumption, we assume that x AVs are transmitted every time 
the HSS successfully authenticates one MTC device, and there are n MTC devices forming m groups. 
Table 3 shows the setting of parameters for evaluating bandwidth consumption. 


Table 3. Setting of Parameters 


Parameters Value (bits) 
TID/ID 128 
GTK 128 
XRES/RES 128 
RAND/R 128 
ECDH key 192 
MAC 64 


The bandwidth consumption of AKA protocols are as follows, where bwfirst represents the 
bandwidth consumption of the authentication of the first MTCD. Bandwidth analysis of EAP-AKA: the sizes 
of authentication messages are calculated as follows: 


bWrirst = Dj-1lMessage;| = 704 + 608x bits (17) 


The overall bandwidth consumption for n devices is calculated as n x (704 + 608x). 
Bandwidth analysis of Mun’s protocol: the sizes of authentication messages are calculated as follows: 


bWrirst = Li=ilMessage;| = 2432 bits (18) 


The overall bandwidth consumption for n devices is calculated as n x 2432. Bandwidth analysis of 
EG-AKA: the sizes of authentication messages are calculated as follows: 


bWrirst = Xj-1|Message;| = 2688 bits (19) 

DWremaining = dj=1|Message;| = 1024 bits (20) 
Where bwremaining represents the bandwidth consumption of authentication of each remaining MTC 
devices. 

The overall bandwidth consumption for n devices 1s calculated as m x 2688 + (n — m) x 1024. 


Bandwidth analysis of the proposed protocol: the sizes of authentication messages are calculated as follows: 


bWrirst = Lj-1|Message;| = 2816 bits (21) 
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Messagel = 3IIDI + IRI + IMACI = 576 bits. 
Message2 = 4IIDI + IRI + IMACI = 704 bits. 
Message3 = 2IRI + IXRESI + IGTKI + IIDI = 640 bits. 
Message4 = IRI + IECDH keyl = 320 bits. 

Message5 =IRESI + IECDH keyl = 320 bits. 
Message6 = IIDI + IMSKI = 256 bits. 


bWremaining = dj=1|Message;| = 960 bits (22) 


Where bwremaining represents the bandwidth consumption of authentication of each remaining MTC 
devices. 
Messagel = IRI + IMACI + IECDH keyl = 384 bits. 
Message2 = IRESI + IECDH keyl = 320 bits. 
Message3 = IIDI + IMSKI = 256 bits. 
The overall bandwidth consumption for n devices is calculated as 2816 x m +960 (n — m) bits. 

We present the bandwidth consumption comparison of the proposed scheme and other relative AKA 
protocols. The comparison of bandwidth consumption is shown in Figure 9. From Figures, we can see that 
the bandwidth consumption of our proposed protocol is better than that of existing schemes. 
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Figure 9. Comparison of bandwidth consumption 


5.3. Computational Delays 

We mainly consider the cost of the following operations cryptographic according to [22] including a 
point multiplication Tu , a pairing operation T),i;; and a map to point hash operation Ti) and the hash 
operation Thash. The cost of XOR can be negligible. Table 4 demonstrates the average elapsed time of five 
cryptographic operations. 


Table 4. Time Cost of Cryptographic Operations used in Comparing Computational Delays 


Operation Symbol — Time (us) 
HMAC-SHA-256 Tieeh 67 
Multiplication over elliptic curve Dinad 612 
Addition over elliptic curve Ea 125 
MaptoPoint hash function Tintp 925 
Pairing T pair 4514 


The AAA and the MME in the core network and the devices execute many cryptographic operations 
in the process of message generation. We analyzed these cryptographic operations in each message and 
summed the elapsed time of the operations for all messages that consist of the AKA as a way to measure and 
compare the computational delays of the standard protocol EAP-AKA and our proposed. 
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Moreover, n represents the number of MTCDs in a group; m represents the number of groups. 
We present the computational delays comparison of the proposed scheme and other relative AKA protocols. 

From the computational delays demanded by the total network, based on the following 
computations, we elaborately evaluate the computational delay for our proposed where the network has to 
compute all keys and authentication parameters, which takes (8T hash) X 1 + 2Thash X M+ 4 Tin X n. For EAP- 
AKA, the delay takes 12Thash X n X m. 

We compared the computational delays of the proposed scheme and EAP-AKA protocol in 
Figure 10 with different values of m. From the figures, we can clearly see that the computational delays of 
our proposed protocol is much less than EAP-AKA when the number of groups take value bigger than 2. 
However, when the number of groups equal to 2 the computational delays of our solution is higher than EAP- 
AKA this is due to the addition of concept of group authentication in the proposed scheme. 
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Figure 10. Computational delays of EAP-AKA and proposed protocols 


6. CONCLUSION 

In this paper, we have proposed a new group authentication and key agreement scheme for MTC 
communications under the EAP framework that supports the group authentication where the AAA server can 
authenticate a massive group of MTC devices in 3GPP network in the same group simultaneously. 
Formal verification and security analysis show that the proposed protocol can provide robust security and 
fulfill its design goals. In addition, the performance evaluation shows that our proposition is more efficient 
and achieves better performance than the existing schemes in terms of signaling overhead, bandwidth 
consumption and computational delay. 
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